Outsourcing und Data Protection

Similar documents
Changing times in Swiss Data Privacy: new opportunities? Microsoft Security Day 27 April 2017 Clara-Ann Gordon

Data Processing Clauses

Data Processing Agreement

Data Processor Agreement

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

Data Processing Agreement

Terms and Conditions for Allegion Data Processing and Transfer

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Data Processing Agreement for Oracle Cloud Services

Contributed by Djingov, Gouginski, Kyutchukov & Velichkov

VISTRA ZURICH AG - PRIVACY NOTICE

DATA PROCESSING AGREEMENT

Google Cloud & the General Data Protection Regulation (GDPR)

Workday s Robust Privacy Program

Rules for Commissioned Processing. (DDV Declaration of Conformity)

DATA PROCESSING AGREEMENT

Keeper Data Processing Agreement

Individual Agreement. commissioned processing

German Data Processing Addendum MailChimp

Magento GDPR Frequently Asked Questions

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.

HPE DATA PRIVACY AND SECURITY

Data Processing Agreement

UWTSD Group Data Protection Policy

Customer EU Data Processing Addendum

Data Processing Agreement

Data Processing Agreement

Accelerate GDPR compliance with the Microsoft Cloud

A1 Information Security Supplier / Provider Requirements

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

EU GDPR - DATA PROCESSING ADDENDUM INSTRUCTIONS FOR CDNETWORKS CUSTOMERS

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

PRIVACY POLICY FOR THE LIDC 2018 INTERNATIONAL CONGRESS

DATA PROCESSING TERMS

GDPR Compliant. Privacy Policy. Updated 24/05/2018

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Fabric Data Processing and Security Terms Last Modified: March 27, 2018

Eco Web Hosting Security and Data Processing Agreement

Vistra International Expansion Limited PRIVACY NOTICE

Developments in Global Data Protection & Transfer: How They Impact Third-Party Contracts

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Motorola Mobility Binding Corporate Rules (BCRs)

EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS

Checklist: Credit Union Information Security and Privacy Policies

Data Processing Agreement DPA

SCCE ECEI 2014 EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS. Monica Salgado JANINE REGAN CIPP/E

GDPR compliance: some basics & practical to do list

VISTRA (CYPRUS) LTD. PRIVACY NOTICE

Juniper Networks Data Subprocessing Agreement

Name: Aho Terhi Title: ecommerce Manager. Phone: terhi.aho(at)finavia.fi Name: Närvänen Carita Title: Development Manager

Google Ads Data Processing Terms

SSL Certificates Certificate Policy (CP)

Data Protection in Switzerland Update Following the Safe Harbor Decision. 21 October 2015 / 6 February 2016 Christian Wyss

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

To make that choice, please click under privacy policy the checkbox (

CTI BioPharma Privacy Notice

PerfectView Privacy Statement

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Wonde may collect personal information directly from You when You:

Saba Hosted Customer Privacy Policy

Embedding GDPR into the SDLC

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Data Processing Amendment to Google Apps Enterprise Agreement

SDL Privacy Policy Cloud Services

EU Data Protection Agreement

1 Privacy Statement INDEX

Swissmeda Data Policy and Privacy Statement (Referred to as Swissmeda Data Policy )

have concluded the following data processing agreement (hereinafter the Data Processing Agreement or this Agreement ):

Privacy Policy of the products of Ilves Solutions Ltd and Ilves Valmisohjelmistot Ltd / Ilveshaku

Minimum Requirements For The Operation of Management System Certification Bodies

DATA PROTECTION POLICY THE HOLST GROUP

ISO/IEC INTERNATIONAL STANDARD

SIX Trade Repository AG

Haaga-Helia University of Applied Sciences Privacy Notice for JUSTUS publication data storage service

DATA PROCESSING ADDENDUM

Public vs private cloud for regulated entities

CEM Benchmarking Privacy Policy

Information technology Security techniques Information security controls for the energy utility industry

Data Protection Policy

Version 1/2018. GDPR Processor Security Controls

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

Client for Contractors (C4C) Security Agreement - Standard

Knowing and Implementing the GDPR Part 3

Privacy Shield Policy

PRIVACY POLICY. Personal Information We Collect

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1

FINMA Circular 2008/21 (Excerpt) IT risk management concept Deal with cyber risk Handling of electronic client data

Data Protection and GDPR

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

ngenius Products in a GDPR Compliant Environment

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Key Customer Issues to Consider Before Entering into a Cloud Services Arrangement

EU Data Protection Agreement

Smart Software Licensing tools and Smart Account Management Privacy DataSheet

Deloitte Audit and Assurance Tools

VISTRA MONACO PRIVACY NOTICE

Arkadin Data protection & privacy white paper. Version May 2018

PRIVACY POLICY OF THE WEB SITE

Transcription:

Outsourcing und Data Protection Clara-Ann Gordon IAPP Workshop on Outsourcing, 9 May 2017

Subject Matter Outsourcing: depending on area different meaning and requirements However always personal data are involved: - Outsourcing of business divisions or tasks - Mandating external services - Transfer of data processing within the group or to a third party Legal Basis: - Art. 10a and 6 DPA - Cantonal Data Protection Laws: IT-Outsourcing of cantonal and communal administrations Responsibility always remains with outsourcer/controller Page 2

Applicability of Swiss Data Protection Act? Offshoring, Farshoring or Nearshoring? When does the Swiss DPA apply? - Principle of territoriality: data processing in Switzerland and access from abroad to server in Switzerland - However onwards transfer of personal data originating from Switzerland from a country abroad not subject to DPA - DPA does not apply, if personal data are directly acquired abroad (e.g. via Webserver) Caution: secrecy obligations (e.g. bank secrecy, professional secrecy obligations, etc.) or Blocking Statutes can generally prohibit the export No crossborder disclosure if personal data is anonymized or encrypted Page 3

Art. 10a DPA Article 10a DSG: Data Processing by Third Parties 1 The processing of personal data may be assigned to third parties by agreement or by law if: a. the data is processed only in the manner permitted for the instructing party itself; and b. it is not prohibited by a statutory or contractual duty of confidentiality 2 The instructing party must in particular ensure that the third party guarantees data security. 3 Third parties may claim the same justification as the instructing party. Page 4

Requirements of Art. 10a DPA Principal (Outsourcer) Mandate for data processing Third party Written agreement Subordinate relationship Processing in the same scope as the principal No adverse legal or contractual confidentiality obligations Data security Page 5

Provisions in Outsourcing Contract Required data protection clauses: - Reference to DPA provisions - Warranty of provider to comply with DPA provisions - Warranty of fulfilment of data protection claims of data subjects - Consent of controller for subcontracting by processor - Purpose definition for data processing by processor - Obligation of processor to subject its employees, auxiliary personnel, freelancers etc, to the comply with DPA provisions - Obligation of processor to comply with data security obligations Page 6

Outsourcing Privilege Benefits of Outsourcing Privilege: - Processor is not third party in the meaning of DPA - No registration requirement according to Art. 11a Abs. 3 lit. b DPA - No justification reasons necessary according to Art. 12 Abs. 2 lit. c DPA - No limitations of justification reasons according to Art. 9 Abs. 3 DPA - No obligations to inform data recipients according to Art. 7a DPA - No application of transparency principle (Art. 4 Abs. 4 DPA) and duty of information (Art. 7a DPA) Page 7

Special Questions Art. 10a DPA I Data Flows within the Holding: - Usually: transfer of data processing from one group company to another (inter-company agreements) - Question: data processing for own purposes and not for the outsourcing group company? Access of several group companies to data use however only for own purposes (Shared Service Center) Mutual ownership of data collections use however for own purposes Page 8

Special Questions Art. 10a DPA II Audit Right: - Controller is responsible for control (Oberaufsicht) - Proviso for supervision of necessary rights: Access for internal and external auditors Right to inspect infrastructure Right over type of data processing - Scope of audit right: any time or only quarterly, with or without prior notification etc. - In practice: major issue in the regulated sectors as a requirement by the authorities Page 9

Crossborder Data Processing Additionally fulfilment of requirements of Art. 6 DPA Usually requirements of Art. 10a and 6 DPA fulfilled with standard contracts Adequate protection: - Swiss Transborder Data Flow Agreement - EU-Model clauses - Privacy Shield CH Page 10

Common Problems when Outsourcing Location of Cloud? Mandating of Subproviders Outsourcing of personal data protected by law: Auxiliary personnel topic Handing back of Personal Data: - Which format? - Deal contractually with handing back formalities - Insolvency of provider / Cloud provider: no claim for handing over of personal data Page 11

Implications of revised DPA on Outsourcing? Draft Swiss DPA contains some new provisions: - Introduction of the terms controller and processor and respective duties - Duty of information extended as regards identity and contact details of controller - Controller has duty to obtain approval for engaging subprocessors - Controller has duty to obtain approval for EU model clauses Page 12

Contact Niederer Kraft & Frey Ltd Bahnhofstrasse 13 CH-8001 Zurich Switzerland Phone +41 58 800 8000 Fax +41 58 800 8080 Web http://www.nkf.ch Clara-Ann Gordon clara-ann.gordon@nkf.ch Page 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback